ISE® North America 2015

The ISE® North America Leadership Summit and Awards was held November 10-11, 2015 at the Westin Michigan Avenue in Chicago, IL. The awards recognize the information security executives and their teams who demonstrate outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security.

The ISE® North America Awards are held in conjunction with a two-day Leadership Summit that includes keynote speakers, interactive roundtables moderated by the CISOs and VPs of participating companies, and hot-topic panel discussions. The two-day program offers the opportunity to meet with peers and leading IT executives from across the region to discuss and share insights into today's issues and solutions.

Unique to the ISE® North America Awards, both executive and project divisions offer recognition within industry classification, including Commercial, Financial Services, Health Care and Academic/Public Sector.

ISE® North America Project Award Winner 2015 - Commercial Category

AT&T’s Astra project is an innovative, cloud-based platform that protects all internal applications within the AT&T cloud environment. The Astra ecosystem and framework enable virtual security services to be delivered via APIs and automated, intelligent provisioning, creating micro-perimeters around specific applications based on each application's requirements. Using an Agile software development approach, the project integrated internally developed software with both open source and vendor solutions to create an extensible architecture that protects AT&T’s enterprise network.

Over the last 12 months, rather than running security projects or initiatives reactively, or reporting risks in “silos”, our CISO proposed that we implement a comprehensive Security and Risk Management program that outlines a multi-layered approach to security at the University. The program covers major areas such as strategy, policies and standards, governance and operating model, management processes, management reporting, communication, training, and awareness. Using this program as its framework, the program team assessed the current status and maturity of controls in all categories, as well as the tools required, then identified, planned and implemented multi-year Security and Risk Management initiatives, communicated them to all stakeholders, and obtained CISO executive sponsorship and alignment. All of these projects were monitored and reported to senior management over the identified period.

The project was focused on transforming how application security was managed for DaVita HealthCare Partners’ complex ecosystem. The goal was to move from a one-man operation into a fully integrated program, built on a single platform that could scale with the business needs.

By May 2015, DaVita had brought the software development lifecycle (SDLC) of 18 applications under automated security assessment, trained 90 developers around the world, established a secure mobile program, put a system in place to ensure that all third-party applications used by DaVita HealthCare Partners are secure, and actively monitored all 141 of the company’s associated websites.

USAA continues to innovate in security, first with two-factor “Quick Logon” and now by providing a game-changing experience: facial or voice biometrics as a convenient and secure means of logging on to the USAA Mobile Application. This capability builds on our existing use of an embedded security token together with biometrics, eliminating the need for static usernames and passwords while improving the overall logon experience. This step directly addresses the harvesting of personal information through data breaches and social engineering by relying on what you have and who you are rather than on what you know.

ISE® North America People's Choice Award Winner 2015

Gary Hayslip
Deputy Director/CISO, City of San Diego
ISE® West Executive of the Year Award Winner 2015
ISE® North America People's Choice Award Winner 2015

Aaron's Secure Software Development Lifecycle is a unique fusion of advanced application security technologies with the company's agile software development methodology. By scanning application code for vulnerabilities as it is being written, this project enables Aaron's developers to resolve identified issues seamlessly, not only improving application quality and security but also accelerating time-to-market and substantially reducing costs. Aaron's also made corporate-wide engagement a key part of the project by sharing application security testing results with everyone from senior management to store owners—not just developers—to promote collaboration and engagement with security as a key enabler of business success.

This project successfully eliminated all credit card (CC) data in the affected systems by deploying point-to-point encryption (P2PE) and tokenization. With these two solutions in place, the affected systems no longer see, process, or store CC data, protecting Caesars from breach or theft of that data. P2PE encrypts the CC number at the swipe, preventing memory-scraping risks, and tokenization replaces the actual CC data with a token, a randomized 16-character alphanumeric representation of the CC data.
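The tokenization described above, as an added illustration that is not Caesars' own code: a constructed token vault maps each card number (PAN) to a random 16-character alphanumeric token, so downstream systems that hold only the token learn nothing about the PAN, and only the vault can reverse the mapping. The Luhn check and the test card number are assumptions added for input validation and demonstration.

```python
import secrets
import string
from typing import Dict, Optional

# Token alphabet and length follow the page's description:
# a randomized 16-character alphanumeric value.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject malformed input before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory vault: the only place the PAN<->token mapping exists."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:        # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:                          # random, unguessable token; retry on collision
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse lookup; in production this path is restricted to the vault's callers."""
        return self._token_to_pan.get(token)


def masked(pan: str) -> str:
    """Display form a token-holding system may show: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]
```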

Jabil’s global customer base is highly competitive regarding intellectual property, cutting-edge innovation, and the secrecy surrounding new product launches. Losing this data would result in millions of dollars in contract fines, as well as major loss of existing and future business. To minimize customer and Jabil risk, Jabil created and adopted a portfolio of security-as-a-service solutions to better protect and secure the company’s critical information. The security-as-a-service initiative spanned three areas: application access, data loss prevention and external threats. This project enables Jabil to close security gaps, accelerate time to value, leverage its security technology and practices as a market differentiator, and create a competitive business advantage in the marketplace.

The Supplier Risk Management program gauges each supplier’s capability to protect BCBSM/BCN’s sensitive information exchanged and computing assets provisioned, in the normal course of the business relationship, while adhering to established HIPAA/HITECH requirements and information security industry standards, by:

Business Resilience Program: Business Continuity Management (BCM) and Security Risk Management (SRM) responsibilities have been somewhat in conflict because, although it is important to have a plan for an unlikely catastrophe, there are other serious risks, such as privacy, fraud and inaccurate data, that are nearly certain to occur. Emotions run high in the face of rare and disastrous events, causing a rush to allocate funds and effort to safeguard against them. HMS’s Integrated Business Resilience Program is part of a comprehensive SRM program, which allows a more reasoned and less emotional understanding of the universe of business risks faced by HMS. This program produces efficiencies in how HMS reacts to catastrophic risk.

To support ADP’s continuing drive to increase the speed of our software development release cycles, we have integrated an automated application security testing technology into our quality assurance testing processes. This technology provides the following benefits:

- Provides continual analysis of application code running on Java or .NET
- Finds vulnerabilities in real time
- Gives development teams visibility into potential security issues as code is moved into the QA environment
- Allows minor release testing to be performed without direct interaction with the security testing team

Janus utilized Elasticsearch, Logstash and Kibana (big data technologies) to drive an internal security analytics program. The open source tools were used to pull in relevant security log information and provide an interface for rapidly searching security-relevant data. The project had zero software licensing cost and reduced incident response times by fifty percent.